CSA - no exceptions/ no analysis

jmutuski · ‎05-16-2007

I am currently testing. I have an event (1000's) I want to create an exception to allow the activity, but the entry gives no specifics and the exception and behavior options of the wizard are greyed out.

What do people do in this situation?

jmutuski · ‎05-16-2007

The actual event log message is below:

TESTMODE: The process '' (as user ??) attempted to access the registry key 'MACHINE' and value ''. The attempted access was an open (operation = OPEN/KEY). The operation would have been denied.

codycornell · ‎05-16-2007

The dreaded remote application alerts. Couple of things that I use, but a couple questions/caveats first.

Q1. Is there really no user information? Or did you leave out the user for privacy/security concerns?

Q2. It appears you are in test mode. Test a few of the workstations that are effected in Protect mode and if they do not have issues you might want to create a Priority Deny rule and disable logging on it.

Strategies:

1. Set up a monitoring rule for registry access for remote applications, then based on those events create a white list of accessible registry keys.

2. If you do have user data, create a user state rule module to allow remote registry access for remote applications base on that user state.

jmutuski · ‎05-16-2007

No user data - for real.

Cannot do the protect mode - to early in the pilot and this is a very sensitive environment.

My hunch is that this is good activity given it is running on a large portion of the installed base.

codycornell · ‎05-16-2007

You can create a very broad but insecure rule that would allow remote application, from any user to access the registry. I would not recommend this but you could do this in test mode and start working you way backward to increase the granularity and security of the rule.

I would still recommend creating the monitor rule around remote client accessing the registry, also maybe a file access rule around accessing remote clients, but I've never tried that, but would be interested in the results.

jmutuski · ‎05-16-2007

I've created the monitoring rule, right now it is creating the same entries that were already happening.

codycornell · ‎05-16-2007

Do you know what application is causing the issue? Can you get to (physically/RDP) the devices causing and accepting the events? You might want to run process explorer (http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx) and process monitor (http://www.microsoft.com/technet/sysinternals/FileAndDisk/processmonitor.mspx)to discover the applications in question. Then you can allow the associated application regardless if it is showing up in the event log and see if that reduces the event load.

Also if the monitor rule isn't helping you might want to disable it. They can run up the event count fast.

tsteger1 · ‎05-16-2007

What are the client computer roles? Are they Windows domain members? It sounds like domain activity trying to update\verify local machine registry values. If it's a domain controller generating the alerts, there is a role for those defined in a rule module.

If it's local or remote shares trying to update\read MRU values, that's a different issue.